Hello community, here is the log from the commit of package virglrenderer for openSUSE:Factory checked in at 2017-02-22 13:50:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/virglrenderer (Old) and /work/SRC/openSUSE:Factory/.virglrenderer.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "virglrenderer" Changes: -------- --- /work/SRC/openSUSE:Factory/virglrenderer/virglrenderer.changes 2016-06-09 16:03:33.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.virglrenderer.new/virglrenderer.changes 2017-02-22 13:50:49.987384393 +0100 @@ -1,0 +2,15 @@ +Fri Feb 17 11:20:43 UTC 2017 - l...@suse.com + +- Address various security issues +* Fix null pointer dereference in vrend_clear (CVE-2017-5937 bsc#1024232) + 0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch +* Fix host memory leak issue in virgl_resource_attach_backing (CVE-2016-10214 bsc#1024244) + 0002-40b0e781-renderer-fix-a-leak-in-resource-attach.patch +* Fix memory leak in int blit context (CVE-2017-5993 bsc#1025505) + 0003-6eb13f7a-vrend-fix-memory-leak-in-int-blit-context.patch +* Fix heap overflow in vertex elements state create (CVE-2017-5994 bsc#1025507) + 0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch +* Fix a stack overflow in set framebuffer state (CVE-2017-5957 bsc#1024993) + 0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch + +------------------------------------------------------------------- New: ---- 0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch 0002-40b0e781-renderer-fix-a-leak-in-resource-attach.patch 0003-6eb13f7a-vrend-fix-memory-leak-in-int-blit-context.patch 0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch 0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ virglrenderer.spec ++++++ --- /var/tmp/diff_new_pack.u8tGte/_old 2017-02-22 13:50:50.831264278 +0100 +++ /var/tmp/diff_new_pack.u8tGte/_new 2017-02-22 13:50:50.831264278 +0100 
@@ -1,7 +1,7 @@ # # spec file for package virglrenderer # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,21 +25,28 @@ Group: Development/Libraries/C and C++ Url: https://virgil3d.github.io/ Source0: %{name}-%{version}.tar.bz2 +BuildRequires: Mesa-devel BuildRequires: autoconf BuildRequires: automake +BuildRequires: libtool +BuildRequires: pkg-config +BuildRequires: python +BuildRequires: zlib-devel BuildRequires: pkgconfig(egl) BuildRequires: pkgconfig(epoxy) BuildRequires: pkgconfig(gbm) BuildRequires: pkgconfig(lbxutil) BuildRequires: pkgconfig(libdrm) >= 2.4.50 -BuildRequires: libtool -BuildRequires: Mesa-devel -BuildRequires: pkg-config -BuildRequires: python BuildRequires: pkgconfig(x11) BuildRequires: pkgconfig(xext) BuildRequires: pkgconfig(xorg-macros) >= 1.8 -BuildRequires: zlib-devel + +#Upstream patches: +Patch0001: 0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch +Patch0002: 0002-40b0e781-renderer-fix-a-leak-in-resource-attach.patch +Patch0003: 0003-6eb13f7a-vrend-fix-memory-leak-in-int-blit-context.patch +Patch0004: 0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch +Patch0005: 0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch %description The virgil3d rendering library is a library used by @@ -79,6 +86,11 @@ %prep %setup -q -n %{name}-%{version} +%patch0001 -p1 +%patch0002 -p1 +%patch0003 -p1 +%patch0004 -p1 +%patch0005 -p1 %build sed -i -e 's|@CODE_COVERAGE_RULES@| |g' Makefile.am ++++++ 0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch ++++++ >From 48f67f60967f963b698ec8df57ec6912a43d6282 Mon Sep 17 00:00:00 2001 
From: Li Qiang <liq...@gmail.com> Date: Thu, 29 Dec 2016 05:57:40 -0500 Subject: [PATCH] renderer: fix NULL pointer deref in vrend_clear In vrend clear dispatch function, the 'buffers' is read from guest. A malicious guest can specify a bad 'buffers' to make a the function call util_format_is_pure_uint() even the 'ctx->sub->surf[i]' is NULL. This can cause a NULL pointer deref. Make a sanity check to avoid this. [airlied: use a define] Signed-off-by: Li Qiang <liq...@gmail.com> Signed-off-by: Dave Airlie <airl...@redhat.com> Index: virglrenderer-0.5.0/src/vrend_renderer.c =================================================================== --- virglrenderer-0.5.0.orig/src/vrend_renderer.c +++ virglrenderer-0.5.0/src/vrend_renderer.c @@ -325,7 +325,7 @@ struct vrend_sub_context { uint32_t fb_id; int nr_cbufs, old_nr_cbufs; struct vrend_surface *zsurf; - struct vrend_surface *surf[8]; + struct vrend_surface *surf[PIPE_MAX_COLOR_BUFS]; struct vrend_viewport vps[PIPE_MAX_VIEWPORTS]; float depth_transform, depth_scale; @@ -1481,7 +1481,7 @@ static void vrend_hw_emit_framebuffer_st } void vrend_set_framebuffer_state(struct vrend_context *ctx, - uint32_t nr_cbufs, uint32_t surf_handle[8], + uint32_t nr_cbufs, uint32_t surf_handle[PIPE_MAX_COLOR_BUFS], uint32_t zsurf_handle) { struct vrend_surface *surf, *zsurf; 
@@ -2354,10 +2354,10 @@ void vrend_clear(struct vrend_context *c mask = buffers >> 2; while (mask) { i = u_bit_scan(&mask); - if (util_format_is_pure_uint(ctx->sub->surf[i]->format)) + if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_uint(ctx->sub->surf[i] && ctx->sub->surf[i]->format)) glClearBufferuiv(GL_COLOR, i, (GLuint *)color); - else if (util_format_is_pure_sint(ctx->sub->surf[i]->format)) + else if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_sint(ctx->sub->surf[i] && ctx->sub->surf[i]->format)) glClearBufferiv(GL_COLOR, i, (GLint *)color); else Index: virglrenderer-0.5.0/src/vrend_renderer.h =================================================================== --- virglrenderer-0.5.0.orig/src/vrend_renderer.h +++ virglrenderer-0.5.0/src/vrend_renderer.h @@ -127,7 +127,7 @@ void vrend_draw_vbo(struct vrend_context uint32_t cso); void vrend_set_framebuffer_state(struct vrend_context *ctx, - uint32_t nr_cbufs, uint32_t surf_handle[8], + uint32_t nr_cbufs, uint32_t surf_handle[PIPE_MAX_COLOR_BUFS], uint32_t zsurf_handle); struct vrend_context *vrend_create_context(int id, uint32_t nlen, const char *debug_name); ++++++ 0002-40b0e781-renderer-fix-a-leak-in-resource-attach.patch ++++++ >From 40b0e7813325b08077b6f541b3989edb2d86d837 Mon Sep 17 00:00:00 2001 From: Li Qiang <liq...@gmail.com> Date: Mon, 26 Dec 2016 21:23:42 -0500 Subject: [PATCH] renderer: fix a leak in resource attach Just return if the resource has been attached a iov to avoid memory leak. Signed-off-by: Li Qiang <liq...@gmail.com> Signed-off-by: Dave Airlie <airl...@redhat.com> Index: virglrenderer-0.5.0/src/vrend_renderer.c =================================================================== --- virglrenderer-0.5.0.orig/src/vrend_renderer.c +++ virglrenderer-0.5.0/src/vrend_renderer.c 
@@ -4031,6 +4031,9 @@ int vrend_renderer_resource_attach_iov(i if (!res) return EINVAL; + if (res->iov) + return 0; + /* work out size and max resource size */ res->iov = iov; res->num_iovs = num_iovs; ++++++ 0003-6eb13f7a-vrend-fix-memory-leak-in-int-blit-context.patch ++++++ >From 6eb13f7a2dcf391ec9e19b4c2a79e68305f63c22 Mon Sep 17 00:00:00 2001 From: Li Qiang <liq...@gmail.com> Date: Mon, 26 Dec 2016 21:23:45 -0500 Subject: [PATCH] vrend: fix memory leak in int blit context The 'blit_ctx->initialised' is not setted to true. Every time init blit context, it will create a new 'blit_ctx->gl_context' thus causing a memory leak. This patch avoid this. Signed-off-by: Li Qiang <liq...@gmail.com> Signed-off-by: Dave Airlie <airl...@redhat.com> Index: virglrenderer-0.5.0/src/vrend_blitter.c =================================================================== --- virglrenderer-0.5.0.orig/src/vrend_blitter.c +++ virglrenderer-0.5.0/src/vrend_blitter.c @@ -289,6 +289,7 @@ static void vrend_renderer_init_blit_ctx return; } + blit_ctx->initialised = true; ctx_params.shared = true; ctx_params.major_ver = VREND_GL_VER_MAJOR; ctx_params.minor_ver = VREND_GL_VER_MINOR; ++++++ 0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch ++++++ >From 114688c526fe45f341d75ccd1d85473c3b08f7a7 Mon Sep 17 00:00:00 2001 From: Li Qiang <liq...@gmail.com> Date: Tue, 27 Dec 2016 04:56:16 -0500 Subject: [PATCH] renderer: fix heap overflow in vertex elements state create MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 'num_elements' can be controlled by the guest but the 'vrend_vertex_element_array' has a fixed 'elements' field. This can cause a heap overflow. Add sanity check of 'num_elements'. Signed-off-by: Li Qiang <liq...@gmail.com> Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com> 
Signed-off-by: Dave Airlie <airl...@redhat.com> Index: virglrenderer-0.5.0/src/vrend_renderer.c =================================================================== --- virglrenderer-0.5.0.orig/src/vrend_renderer.c +++ virglrenderer-0.5.0/src/vrend_renderer.c @@ -1656,6 +1656,9 @@ int vrend_create_vertex_elements_state(s if (!v) return ENOMEM; + if (num_elements > PIPE_MAX_ATTRIBS) + return EINVAL; + v->count = num_elements; for (i = 0; i < num_elements; i++) { memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element)); ++++++ 0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch ++++++ >From 926b9b3460a48f6454d8bbe9e44313d86a65447f Mon Sep 17 00:00:00 2001 From: Li Qiang <liq...@gmail.com> Date: Mon, 26 Dec 2016 21:23:44 -0500 Subject: [PATCH] vrend: fix a stack overflow in set framebuffer state Add the sanity check of the 'nr_cbufs' to avoid stack overflow. Signed-off-by: Li Qiang <liq...@gmail.com> Signed-off-by: Dave Airlie <airl...@redhat.com> Index: virglrenderer-0.5.0/src/vrend_decode.c =================================================================== --- virglrenderer-0.5.0.orig/src/vrend_decode.c +++ virglrenderer-0.5.0/src/vrend_decode.c @@ -136,6 +136,10 @@ static int vrend_decode_set_framebuffer_ if (length != (2 + nr_cbufs)) return EINVAL; + + if (nr_cbufs > 8) + return EINVAL; + for (i = 0; i < nr_cbufs; i++) surf_handle[i] = get_buf_entry(ctx, VIRGL_SET_FRAMEBUFFER_STATE_CBUF_HANDLE(i)); vrend_set_framebuffer_state(ctx->grctx, nr_cbufs, surf_handle, zsurf_handle);
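Review bot: in the vrend_clear hunk of 0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch the argument handed to the format helpers is wrong: `util_format_is_pure_uint(ctx->sub->surf[i] && ctx->sub->surf[i]->format)` (and the matching `_sint` line) passes the result of a `&&` expression, i.e. 0 or 1, instead of the surface format, so once the NULL test has passed the integer-format check is evaluated against format value 1 and pure-integer colour buffers fall through to the `else` path. The NULL check already sits earlier in the same condition, so the call should read `util_format_is_pure_uint(ctx->sub->surf[i]->format)`. Note also that the `i < PIPE_MAX_COLOR_BUFS` bound only guards the two integer branches; an `i` beyond the array still reaches the `else` branch with the same out-of-range index, which deserves a look since `mask` is derived from the guest-supplied `buffers`.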
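Review bot: the `if (res->iov) return 0;` added in 0002-40b0e781-renderer-fix-a-leak-in-resource-attach.patch reports success for a second attach while silently discarding the caller's `iov` and `num_iovs`; unless the caller re-reads `res->iov` afterwards it cannot tell that its array was not stored and may leak or free it twice. Returning an error such as `EINVAL`, as the `!res` case immediately above does, would make the duplicate attach visible and let the caller release the iov it passed in; a one-line comment stating why a second attach is refused would also help future readers.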
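Review bot: in 0003-6eb13f7a-vrend-fix-memory-leak-in-int-blit-context.patch the new `blit_ctx->initialised = true;` is set before `ctx_params` is even filled in, so if anything later in vrend_renderer_init_blit_ctx fails the context is marked initialised without a usable `gl_context`, and the early `return` above that presumably keys on this flag would then skip any retry. Set the flag on the success path, after the GL context has actually been created.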
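Review bot: the new `if (num_elements > PIPE_MAX_ATTRIBS) return EINVAL;` in 0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch sits after `if (!v) return ENOMEM;`, so `v` has already been allocated and is leaked on the EINVAL return. The range check depends only on the argument, so move it above the allocation, or free `v` before returning. If `num_elements` is a signed type, a negative value also passes this check and would still be used as the loop bound; comparing as unsigned, or rejecting negatives explicitly, closes that.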
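Review bot: `if (nr_cbufs > 8)` in 0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch hard-codes the limit that patch 0001 in this same series just replaced with `PIPE_MAX_COLOR_BUFS` in the `surf_handle[]` declarations of `vrend_set_framebuffer_state`; use the same define in the decoder so the bound cannot drift from the array size it protects.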